VULNERABILITY DETAILS
Due to an issue in the way right-to-left (RTL) UTF8 control codes are handled when part of a URL where the hostname is an IP address (and not a resolved name), a malicious actor can cause the URL location bar on Chrome to appear to indicate a different domain than the one actually visited. This, in turn, can enable hijinks by crafting login pages that appear to be for the attacker's target domain.

This was publicly disclosed, in error, by Rafay Baloch, here:

https://bugs.chromium.org/p/chromium/issues/detail?id=609680

Ultimately, this issue should be closed as a dupe of that issue, but I wanted to make sure this got on the radar of security folks, rather than just sitting around in a public bug report.

VERSION

This is most recently reproduced on:

Chrome Version: 50.0.2661.95
Operating System: Apple iOS 9.3.1

Chrome Version: 50.0.2661.94
Operating System: Apple OSX 10.11.4

Chrome Version: 49.0.2623.91
Operating System: Android Lollipop

Interestingly, this does not appear to affect the Windows build of Chrome.

REPRODUCTION CASE

Visit the following link:

http://173.255.206.36/%EF%B9%B0http://google.com/login (any IP address will do)

Note the URL Location bar displays as: 

http://google.com/login'/173.255.206.36 (UTF character converted to ' for readability)

while copying and pasting the link gives the "true" location, of:

http://173.255.206.36/%EF%B9%B0http://google.com/login

The Location bar is the only indicator to the user as to where a page is actually hosted. This would not interfere with normal in-code operations on hosts (certificate validation and the like), but would appear to be enough to trick an eyeball.

Screenshots are attached to the original issue, at #609680.